Diffstat (limited to 'x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch')
-rw-r--r--x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch25
1 files changed, 25 insertions, 0 deletions
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
new file mode 100644
index 000000000000..c5755a49ce1a
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
@@ -0,0 +1,25 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption 2009-09-29 13:01:35.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-04 15:00:24.778776273 +0100
+@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp
+ return false;
+ }
+
++static bool isValidFormatFunction(CSSParserValue* val)
++{
++ CSSParserValueList* args = val->function->args;
++ return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);
++}
++
+ bool CSSParser::parseFontFaceSrc()
+ {
+ RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated());
+@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc()
+ CSSParserValue* a = args->current();
+ uriValue.clear();
+ parsedValue = CSSFontFaceSrcValue::createLocal(a->string);
+- } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) {
++ } else if (allowFormat && uriValue && isValidFormatFunction(val)) {
+ expectComma = true;
+ allowFormat = false;
+ uriValue->setFormat(args->current()->string);
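Review bot: The new helper `isValidFormatFunction` dereferences `val->function->args` and `args->current()` with no null check of its own, so it is only safe if the caller has already established that the argument list exists and holds an element. The context line `CSSParserValue* a = args->current();` in the `local(` branch suggests parseFontFaceSrc does this above, but that guard lies outside the hunk and should be confirmed. Because the helper is a file-level static that later code could call from elsewhere, I would either state the precondition in a comment above it or make it self-contained with `if (!args || !args->current()) return false;` ahead of the unit comparison. The unit test for CSS_STRING or CSS_IDENT appears to be what keeps `setFormat(args->current()->string)` from reading the `string` member of a value of a different type, so a regression test with a non-string `format()` argument in an `@font-face` `src` descriptor would be worth shipping with the patch.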